Ernst & Young LLP, Security & Technology Solutions
Security Strategy: An Overview
January 22, 2003
Slide 2: Digital Risk is a Component of Enterprise Risk

Areas of digital risk in your organization include:
Effective and efficient control environment
Security and availability of digital information
System privileges and access controls
Disruption from intrusions or viruses
Threats to business continuity

Diagram: organizational goals (Effectively Manage Risk, Establish Trust, Enhance or Manage Brand), decision makers (CEO, CIO, CFO, Risk Officer, General Counsel, Board of Directors, Audit Committee) and stakeholders (IT Dept., Customers, Business Partners, Management, Shareholders, Business Initiatives, Regulators, Employees).

“Digital risk is the exposure to loss or damage from the reliance upon information technology to achieve organizational goals.”
Slide 3: Security is a Critical Component of the Digital Risk Agenda
Slide 4: Rudy Giuliani’s Call to Action

The time has come for senior executives of U.S. corporations to follow the President's lead and make security a mainstream business critical, board-level issue…the time when security-related decisions could be left to persons at a mid-manager level or decided solely upon budgetary considerations has passed. Senior executives must now take the steps to plan, prepare and practice to address their organizational security threats and challenges.
Slide 5: What is the Digital Frontier?

The digital frontier is the forward edge of technological impact with respect to organizations’ usage of technology and their reliance upon it for productivity improvements.

Chart: IT Usage (Low to High) on the horizontal axis against Reliance on IT (Low to High) on the vertical axis; Productivity Improvement rises along the curve from MF in the 1970s through Client/Server (1980s) and Internet (1990s) to Mobile (2000s).
Slide 6: Increased Security Risks

As organizations invest for productivity improvement out to the edge of the digital frontier, they also encounter increased security risks through a greater impact and probability of technology failures.

Chart: the same timeline (MF, Client/Server, Internet, Mobile across the 1970s to 2000s) plotted against Impact of Failure and Probability of Failure (Low to High), with Increased Risk rising along the curve.
Slide 7: The Security Frontier

The digital frontier and corresponding security risk combine to create a new frontier. We call this the security frontier.

Chart: IT Usage / Probability of Failure (Low to High) against Reliance on IT / Impact of Failure (Low to High), with Productivity Improvement / Increased Risk rising along the curve across the 1970s to 2000s.
Slide 8: The Digital Security Gap

Caught up in the pursuit of productivity improvements, management apparently overlooked security.

Chart: Total Spending (Low to High) over Time (1990’s to 2000’s); Total IT Spending climbs well ahead of Total Security Spending, and the space between the two curves is the Digital Security Gap.
Slide 9: Threats & Gaps are Real

Al-Qaeda members…are trying to hack into American computers that control water, electrical and communications facilities including 911 networks in at least 30 municipalities.

Technologists say U.S. businesses are not prepared for a major cyberattack, according to a July study by the Business Software Alliance.

(News reports dated Sept. 16, 2002 and Sept. 9, 2002.)
Slide 10: Closing the Gap

Prepare to defend the digital frontier by…
Determining where your organization is relative to the frontier
Establishing responsibilities
Defining priorities
Understanding threats and vulnerabilities

And then, create a highly effective digital security program.
Slide 11: 6 Key Security Characteristics
Slide 12: 1) Aligned

The attainment and maintenance of appropriate alignment between digital security, the IT organization, digital assets and business objectives.

Diagram: Digital Security, the IT Organization, Digital Assets and Business Objectives shown as aligned.

The distance between the top levels of management and the security team is known as the Security Management Gap.

79% of respondents in the 2002 Ernst & Young Digital Security Overview survey indicated that the documentation, implementation, and follow-through cycle for their information security policies was not being carried out completely.
Slide 13: 2) Enterprise-Wide

A holistic view of the security needs for the entire organization, as well as its extended enterprise, to ensure consistent, efficient deployment. Critical authority is given to a centralized body to ensure consistently highly effective security throughout the organization.

86% of companies surveyed have intrusion detection systems in place. However, of those companies, only 35% actively monitor 95% to 100% of their critical servers for intrusions.
Slide 14: 3) Continuous

Real-time monitoring and updating of all security policies, procedures, and processes to ensure a timely response to issues and opportunities.

46% of respondents indicated that they use manual or partially automated methods of tracking physical assets as opposed to fully automated methods.

Not occasionally. Not periodically. Continuously.
Slide 15: 4) Proactive

The ability of a security program to effectively anticipate potential threats and vulnerabilities and to maintain the confidentiality, integrity, and availability of its digital assets.

Chart: Risk Intelligence (Low to High) over Time; the Traditional curve is marked by an Initial Assessment and Periodic Assessments, the Proactive curve by Ongoing Monitoring.

Only 16% of respondents have wide-scale deployment of vulnerability tracking mechanisms and knowledge of all critical information vulnerabilities.
Slide 16: 5) Validated

Achieving highly effective digital security requires third-party validation of critical security components and business objectives.

Diagram: Rigor of Validation rising from Self through Peer to 3rd Party, applied to a Unit, to a Business Objective, or to a Standard, with components progressing from Deployed through Tested to Validated.

66% of respondents indicated that their information security policies are not in complete compliance with the domains defined by ISO 17799, CISSP, Common Criteria, or other recognized models.
Slide 17: 6) Formal

Policies, standards, and guidelines, which provide fundamental direction on digital security issues and are endorsed by senior staff. To be formal, they must be documented and tested, then communicated to every member of the organization.

Diagram: policies plotted from Minimally to Highly Documented against Minimally to Highly Confirmed; the regions are labelled Situational, Experience-based, and Formal.

13% of respondents have integrated business continuity and disaster recovery plans that address recovering the entire enterprise. 7% indicated they have no documented plans in place.
Slide 18: Technology and Business Objectives Drive Requirements

Chart: Security Requirements Zones plotted by Impact (Low to High) against Probability of Failure (Low to High): a Minimum Standards Zone, a Managed Risk Zone, and a Trusted System Zone. Example systems placed on the chart: Information Kiosk, Public Web Server, Email Server, eCommerce System, Bank ATM, Health Care System, Financial System, Electrical Power.
Slide 19: The Security Agenda
Slide 20: 9 Strategic Areas of “The Security Agenda”

Security Strategy sits at the centre, surrounded by nine strategic areas:
Policies, Standards, & Guidelines
Intrusion & Virus Detection
Incident Response
Physical Security
Privacy
Asset & Service Management
Vulnerability Management
Entitlement Management
Business Continuity
Slide 21: Complex Organizational Transformation

Diagram: Technology, Process and People; all 3 components needed.
Slide 22: Intrusion and Virus Detection

Diagram: intrusion and virus detection spanning the Database, Router, Firewall, Web Server, SNMP, Biometrics, Application, and Operating System layers.
Slide 23: Incident Response

Diagram: an Incident Response Program spanning an Event Lifecycle and a Program Lifecycle, with Mobilize and Administer phases.
Slide 24: Privacy

Diagram: a privacy program cycle of BASELINE, DIAGNOSE, IMPROVE, MAINTAIN and VERIFY, covering People, Policies, Operations and Technology. Elements shown include Stakeholder Expectations, Legislation, Organization, Benchmarking/Roadmaps, Remediation Plans, Training, Ongoing Monitoring, Re-certification, Independent Verification, Service Provider Compliance and Data Registration.
Slide 25: Policies, Standards, and Guidelines
Slide 26: Physical Security

Diagram: three layers of physical security: Structural (Fences, Walls, Gates), Procedural (Guards, Cameras) and Digital (Biometrics, Infrared, Authentication, Surveillance).
Slide 27: Asset & Service Management

Diagram: Asset Management across Technology, Process and People, covering Cable and Circuit, Portfolio, Financial, Procurement and Contracts. Functions: Manage and Track Assets; Automate Processes; Manage Asset Financial Information; Budget Analysis; Manage Connectivity and Cable Plant; Aid Decision-making; Streamline Processes; Manage and Track Contracts.
Slide 28: Vulnerability Management

Diagram: an IT Process view of vulnerability management, expanding control and expanding scope over critical infrastructure, with Technology & People along the dimensions Knowledge, Deployment and Accountability. The Security Systems Team Just Protects Systems (Configurations, Policies, Alerts); the Key Assets Team Serves and Protects Systems (Know Critical Assets, Feasible Deployment, Workflow/Tracking); the CIO Team extends to All Critical Infrastructure; the IT Audit Team and CFO Team add Compliance, Audit Ability, and Governance and Accountability.
Slide 29: Entitlement Management

Diagram: Entitlement Management comprises Identity Management and Access Management, covering Secure Portals, Data Model, Metadirectory, Authentication Management, Single Sign-On, Access Control, User Management and Policy Management.
Slide 30: Business Continuity

Diagram: a four-phase roadmap, DEFINE, ANALYZE, DESIGN, IMPLEMENT, producing the Business Continuity Roadmap, Business Impact Assessment, Threat and Risk Assessment, Recovery Strategies, Business Continuity Plan and Plan Maintenance Program.
Slide 31: A Scorecard for Evaluation & Action

Scorecard: each of the nine agenda areas (Policies, Standards, & Guidelines; Intrusion & Virus Detection; Incident Response; Physical Security; Privacy; Asset & Service Management; Vulnerability Management; Entitlement Management; Business Continuity) is rated against each of the six characteristics (Aligned, Enterprise-wide, Continuous, Proactive, Validated, Formal) as High Risk, Medium Risk, or Low Risk.
Slide 32: Security Organizational Framework

Organization chart: the CEO, with Public, Media, Government Relations and a Security Committee, over a Security Officer, who is supported by Asset Management, Physical Security, Continuity Planning, a Privacy Officer and Service Management, and who runs four functions:

Planning: Business Requirements, Education, Formal Communications, Governance, Policies, Project Management, Risk Assessment, Requests for Proposals (RFP), Standards & Guidelines
Architecture: Technical Requirements/Design, Technical Security Architecture, Technology Solutions
Operations: Incident Response, Access Control/Account Management, Investigations, Standards/Solutions Deployment, Training & Awareness, Vulnerability Management
Monitoring: Auditing, Reporting, Systems Monitoring, Security Testing
Slide 33: The Roadmap for Success
Slide 34: Executive management must understand

Scenario-based simulations – Table-Top Exercises
The organization’s response
Critical roles and responsibilities
Action plans to minimize the effect of an incident
Monitor and test responses
Slide 35: Model and Define Risk: Establish consistent threat categories

Table: Category Levels 1 to 5 mapped to the Dept. of Homeland Security risk levels, Low (1, Green), Guarded (2, Blue), Elevated (3, Yellow), High (4, Orange) and Severe (5, Red), each with a corresponding Digital Impact/Risk category. The Digital Impact/Risk categories are Tactical Inefficiencies, Chronic or Series of Inefficiencies, Risk to Customer Segment, Risk to Multiple Customers, and Core Process or System Shutdown.
Slide 36: Understand Risk Posture Curve

Chart: Impact of Occurrence (Low to High) against Frequency of Occurrence (Low to High), with the curve marked at Impact Levels Low (1), Guarded (2), Elevated (3), High (4) and Severe (5).

Each of the 9 areas of the security agenda determines your risk posture, or how events will affect your organization.
Your risk posture changes as the environment and technology change.
Slide 37: The Fulcrum of Control

Chart: the risk posture curve (levels 1 to 5) on the Impact of Occurrence against Frequency of Occurrence axes, split at the Fulcrum of Control into an Immediate Action region and an ROI Decision region.

The ability to control & contain digital security incidents is the key to success.
Management must determine this tipping point or fulcrum and use it to drive their focus.
Slide 38: Forces Affecting Risk

Every time technology is changed or deployed, the risk posture curve moves.
Management must recognize this and deploy security resources accordingly.

Chart: the risk posture curve (levels 1 to 5) with New or Changed Technology and Risk Management shown as opposing forces on the curve.
Slide 39: Manage Risk for a Competitive Advantage

Chart: risk posture curves (levels 1 to 5) for Company A and for the Industry on the Impact of Occurrence against Frequency of Occurrence axes.

Maintaining digital availability when your competitors in your industry fail is critical for most companies’ long-term success.
Slide 40: Security “Orbit of Regard”

Diagram: the CEO at the centre, with Products/Services, Market Share, Customer Service and Growth in close orbit; Digital Security moves from a distant orbit in the 1980s, closer in the 1990s, to the inner orbit in the 2000s.

Security is a top executive issue.
Today, companies will compete on being able to respond to a digital threat.
Top executives must close the digital security gap.
Slide 41: Highly Effective Security Cultures:
are chief executive-driven
maintain a heightened sense of awareness
utilize a digital security guidance council
establish timetables for success and monitor progress
drive an enterprise-wide approach

The commitment of the organization’s personnel to the principles of security will determine the success or failure of the digital security program.
Slide 42: For More Information…

Mark Doll
Americas Director, Security & Technology Solutions
Ernst & Young LLP
Phone: 408-947-4981
E-mail: [email protected]
Web site: ey.com/security
Security Hotline: 800-706-2663